
Flow denial on uploading private files prevents NC Talk Folder access/creation

Open rkwillig opened this issue 4 years ago • 2 comments

Steps to reproduce

  1. Creating flow rule with following filters: "Tag - not tagged by - TAGNAME" && "User Group is not ADMIN"
  2. Installing nextcloud Talk App
  3. Create new user

Expected behaviour

User is able to log in and is able to use Nextcloud Talk

Actual behaviour

On first login the user gets an internal server error; the log shows that the flow rule denies creation of the "Talk" folder in the user directory. Pre-creating the folder "Talk" via the skeleton directory works to create the folder and lets the user log in, but the user has no access to the "Talk" folder because of the flow restrictions. I haven't found any way to exclude the folder from the rule so that the user can use NC Talk.

Users should not be able to upload files to their own NC (Home) folder, but they should be able to work in shared folders and should be able to use NC Talk.

Server configuration

Operating system: Debian 9

Web server: nginx

Database: mariadb 15.1

PHP version: 7.4

Nextcloud version: 21 & 22

Where did you install Nextcloud from: .zip-package from nextcloud.com

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - accessibility: 1.7.0
  - activity: 2.15.0
  - bruteforcesettings: 2.2.0
  - circles: 22.0.0
  - cloud_federation_api: 1.4.0
  - comments: 1.11.0
  - contactsinteraction: 1.2.0
  - dashboard: 7.1.0
  - dav: 1.18.0
  - federatedfilesharing: 1.11.0
  - federation: 1.11.0
  - files: 1.16.0
  - files_accesscontrol: 1.12.0
  - files_automatedtagging: 1.12.0
  - files_pdfviewer: 2.3.0
  - files_rightclick: 1.1.0
  - files_sharing: 1.13.2
  - files_trashbin: 1.11.0
  - files_versions: 1.14.0
  - files_videoplayer: 1.11.0
  - firstrunwizard: 2.11.0
  - logreader: 2.7.0
  - lookup_server_connector: 1.9.0
  - nextcloud_announcements: 1.11.0
  - notifications: 2.10.1
  - oauth2: 1.9.0
  - onlyoffice: 7.0.4
  - password_policy: 1.12.0
  - photos: 1.4.0
  - privacy: 1.6.0
  - provisioning_api: 1.11.0
  - recommendations: 1.1.0
  - serverinfo: 1.12.0
  - settings: 1.3.0
  - sharebymail: 1.11.0
  - spreed: 12.0.1
  - support: 1.5.0
  - survey_client: 1.10.0
  - systemtags: 1.11.0
  - text: 3.3.0
  - theming: 1.12.0
  - twofactor_backupcodes: 1.10.1
  - updatenotification: 1.11.0
  - user_status: 1.1.1
  - viewer: 1.6.0
  - weather_status: 1.1.0
  - workflowengine: 2.3.0
Disabled:
  - admin_audit
  - audioplayer
  - encryption
  - files_external
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.CUSTOMERDOMAIN.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "22.0.0.11",
        "overwrite.cli.url": "http:\/\/cloud.CUSTOMERDOMAIN.de",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "loglevel": 1,
        "default_language": "de_DE",
        "default_locale": "de_DE",
        "sharing.interal_shares_accepted": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "filelocking.enabled": true,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "skeletondirectory": "\/var\/www\/clients\/client5\/web12\/web\/keinedaten",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "dbindex": 5,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "theme": "",
        "maintenance": false,
        "defaultapp": "files",
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "app_install_overwrite": [
            "email_template_CUSTOMER"
        ],
        "updater.release.channel": "stable"
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Chrome/Firefox/Edge

Operating system: Win10

rkwillig, Jul 28 '21 10:07

Maybe you can Allow the name Talk independent from the absence of the Tag? Not sure this is otherwise solvable at the moment.

nickvergessen, May 10 '23 14:05

This issue will probably appear for all folders created automatically by apps (calendar or collectives for example)

maximelehericy, Aug 24 '23 09:08
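The rule from this report can be modelled as a conjunction of checks, which shows why folders that apps create automatically are caught by it. The sketch below is an added example, not part of the thread and not files_accesscontrol code; the `top_level_not_in` exemption, the sample paths and the tag sets are assumptions constructed for illustration.

```python
# Simplified model of a "deny when all checks match" rule; not Nextcloud code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Operation:
    path: str                      # path relative to the user's home (constructed)
    user_groups: frozenset
    tags: frozenset = frozenset()  # tags effective on the node (constructed)

def not_tagged(tag):
    return lambda op: tag not in op.tags

def not_in_group(group):
    return lambda op: group not in op.user_groups

def top_level_not_in(names):
    # Hypothetical exemption: this check fails for paths under an exempt
    # top-level folder, so the rule as a whole no longer matches there.
    return lambda op: op.path.strip("/").split("/")[0] not in names

def is_denied(rule, op):
    # The operation is blocked only when every check in the rule matches.
    return all(check(op) for check in rule)

# Rule as described in the report, and a variant with a name exemption.
REPORTED_RULE = [not_tagged("TAGNAME"), not_in_group("ADMIN")]
EXEMPT_RULE = REPORTED_RULE + [top_level_not_in({"Talk"})]

USER = frozenset({"users"})
SAMPLE_OPS = {  # constructed sample operations
    "home upload": Operation("/notes.txt", USER),
    "Talk folder (first login)": Operation("/Talk", USER),
    "Talk attachment": Operation("/Talk/photo.jpg", USER),
    "Calendar folder": Operation("/Calendar", USER),
    "tagged shared folder": Operation("/Project/report.odt", USER,
                                      frozenset({"TAGNAME"})),
    "admin upload": Operation("/notes.txt", frozenset({"ADMIN"})),
}

def evaluate(rule):
    return {name: is_denied(rule, op) for name, op in SAMPLE_OPS.items()}

if __name__ == "__main__":
    for label, rule in (("reported rule", REPORTED_RULE),
                        ("with Talk exemption", EXEMPT_RULE)):
        print(label)
        for name, denied in evaluate(rule).items():
            print(f"  {'DENY ' if denied else 'allow'} {name}")
```

In this model the exemption has to be listed per app folder: the constructed "Calendar" folder stays denied until its name is added as well.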